Tools

DNS & Email Security Tools

The best free and freemium tools for diagnosing DNS configurations, auditing email authentication, debugging DNSSEC, and monitoring propagation.

Categories

Tool Categories

Multi-Tool Suites

One-stop diagnostics covering DNS, email headers, blacklists, and propagation.

DMARC & Email Auth

Purpose-built platforms for deploying and monitoring SPF, DKIM, and DMARC.

DNSSEC Tools

Visualize and debug DNSSEC delegation chains and trust anchors.

DNS Health & Propagation

Zone health reports and global propagation checkers.

Directory

Top DNS & Email Security Tools

Vetted tools used by DNS administrators, security engineers, and email deliverability specialists

MXToolboxMulti-Tool Suite

The go-to web suite for DNS and email diagnostics. Look up MX, SPF, DKIM, DMARC, blacklist status, SMTP headers, and more. The SuperTool accepts a domain or IP and auto-detects what to check.

  • MX record lookup
  • Blacklist check
  • SPF/DKIM/DMARC analysis
  • SMTP diagnostic
  • DNS propagation check
FreeWebEmailBlacklist
Open Tool →
Cloudflare RadarDNS Resolver & Analytics

Cloudflare's public DNS resolver (1.1.1.1) with privacy focus, plus Radar for global traffic trends, outage detection, BGP routing data, and DNS query insights. Also offers a DNS-over-HTTPS and DNS-over-TLS endpoint.

  • Fast public resolver (1.1.1.1)
  • Global internet traffic trends
  • BGP and routing data
  • Outage and anomaly detection
FreePublic ResolverAnalyticsPrivacy
Open Tool →
MailhardenerEmail Security Auditing

Automated auditing platform for email authentication records. Continuously monitors SPF, DKIM, DMARC, BIMI, and MTA-STS configurations and alerts on misconfigurations, policy drift, and unauthorized senders appearing in DMARC aggregate reports.

  • DMARC aggregate report analysis
  • SPF/DKIM/BIMI audit
  • Continuous monitoring
  • Unauthorized sender detection
FreemiumDMARCSPFDKIMMonitoring
Open Tool →
DNSVizDNSSEC Visualizer

Visual analysis and debugging tool for DNSSEC delegation chains. Traces the full chain of trust from the root to your zone, highlighting broken signatures, missing DS records, expired keys, and misconfigured trust anchors.

  • DNSSEC chain of trust visualization
  • Debug DS/DNSKEY mismatches
  • Zone delegation analysis
  • NSEC/NSEC3 inspection
FreeDNSSECVisualizationDebugging
Open Tool →
DMARC AnalyzerDMARC Reporting

Dedicated DMARC reporting and management platform. Parses XML aggregate reports from receiving mail servers, surfaces unauthorized senders, tracks SPF/DKIM alignment, and guides you through the p=none → p=quarantine → p=reject journey.

  • DMARC aggregate report parsing
  • Sender alignment tracking
  • Policy enforcement progression
  • Forensic report analysis
FreemiumDMARCReportingEmail
Open Tool →
Google Admin ToolboxEmail & DNS Diagnostics

Google's suite of mail and DNS diagnostic tools. Check MX includes a guided SPF, DKIM, and DMARC checker with plain-language explanations. Dig, Browserinfo, and HAR analyzer are also included.

  • MX + SPF + DKIM + DMARC check
  • DNS lookup (Dig)
  • Browser diagnostics
  • Header analysis
FreeGoogleEmailDNS Lookup
Open Tool →
intoDNSDNS Health Check

Comprehensive DNS health report for a domain. Checks nameserver configuration, zone consistency, SOA record validity, lame delegation, open recursion, MX priority, and common misconfigurations — all in a single pass.

  • Full DNS zone health report
  • Nameserver consistency check
  • SOA and MX validation
  • Lame delegation detection
FreeDNS HealthZone Check
Open Tool →
DKIM CoreDKIM Key Tools

Simple tools for generating DKIM key pairs and checking published DKIM public keys. Useful when setting up DKIM signing for the first time or verifying that a key was published correctly in DNS.

  • DKIM key pair generation
  • Published DKIM record lookup
  • Key format validation
FreeDKIMKey Generation
Open Tool →
GlobalDNS CheckerDNS Propagation

Check DNS propagation across dozens of resolvers worldwide simultaneously. See which servers have picked up a new record and which are still serving the old value — essential after making DNS changes.

  • Global propagation check
  • TTL expiry monitoring
  • Multi-region resolver comparison
FreePropagationGlobal
Open Tool →
SPF Record CheckerSPF Validation

Validates SPF records against RFC 7208. Tests the full SPF evaluation for a given sender IP and domain pair, reports lookup count (must stay under 10), and flags syntax errors and permerror conditions.

  • SPF syntax validation
  • Lookup limit check (10 max)
  • Sender IP evaluation
  • Permerror diagnosis
FreeSPFRFC 7208
Open Tool →
TLSA Record GeneratorDANE / TLSA

Generates TLSA DNS records for DANE (DNS-Based Authentication of Named Entities). Input a certificate or chain and the tool outputs the correctly formatted TLSA record for publishing in DNS — useful for securing SMTP, HTTPS, and other TLS services with DANE.

  • TLSA record generation from certificate
  • DANE-SMTP configuration
  • DANE-HTTPS setup
  • Certificate hash extraction
FreeDANETLSATLS
Open Tool →
DemarclyDMARC Reporting

DMARC reporting and monitoring platform focused on simplicity and actionable insights. Parses aggregate reports, identifies unauthorized senders, tracks alignment failures, and provides a clear path to enforcing DMARC policy.

  • DMARC aggregate report analysis
  • Unauthorized sender identification
  • Alignment tracking
  • Policy enforcement guidance
FreemiumDMARCMonitoringEmail
Open Tool →
SpamhausBlocklist & Reputation

The internet's most widely used DNS blocklist (DNSBL) provider. Spamhaus maintains the SBL (Spam Block List), XBL (Exploits Block List), PBL (Policy Block List), and DBL (Domain Block List) — used by mail servers worldwide to reject spam and malicious senders. The lookup tool lets you check whether an IP or domain is listed and why.

  • IP blocklist lookup (SBL/XBL/PBL)
  • Domain blocklist check (DBL)
  • Delist request submission
  • Mail server reputation check
  • DNSBL integration reference
FreeDNSBLBlocklistAnti-SpamReputation
Open Tool →
Proxmox Mail GatewayEmail Gateway

Open-source enterprise email gateway with spam filtering, virus scanning, and email security policy enforcement. Sits in front of your mail server and enforces SPF, DKIM, and DMARC checks on inbound mail. Includes a web management UI and detailed mail queue visibility.

  • Inbound spam and virus filtering
  • SPF/DKIM/DMARC enforcement
  • Mail queue management
  • Email quarantine and release
  • Outbound relay with signing
FreeOpen SourceSelf-HostedGatewayAnti-Spam
Open Tool →
Command Line

Essential CLI Tools

Built-in and installable command-line tools every DNS administrator should know

digIncluded in bind-utils / dnsutils

The standard DNS query tool. Supports all record types, DNSSEC (with +dnssec), trace mode (+trace), and batch queries. Available on Linux and macOS by default.

dig example.com MX +short
dig @8.8.8.8 example.com TXT
dig +trace example.com
drillPart of ldns (ldns-utils)

Similar to dig but with cleaner DNSSEC output. Designed specifically for DNSSEC debugging — shows the full signature validation chain with -D flag.

drill -D example.com
drill -k /etc/unbound/root.key example.com
nslookupIncluded on Windows, macOS, Linux

Simple interactive DNS query tool. Less feature-rich than dig but universally available and useful for quick lookups and testing specific nameservers.

nslookup -type=MX example.com
nslookup example.com 8.8.8.8
hostPart of bind-utils / dnsutils

Lightweight DNS lookup tool with concise output. Good for quick record checks and reverse DNS lookups without dig's verbosity.

host example.com
host -t TXT example.com
host 8.8.8.8